/** * Writes audit information and redirects the user to the password change form. * * @param eZUser $user */ protected static function passwordHasExpired($user) { $userID = $user->attribute('contentobject_id'); // Password expired eZDebugSetting::writeDebug('kernel-user', $user, 'user password expired'); // Failed login attempts should be logged $userIDAudit = isset($userID) ? $userID : 'null'; $loginEscaped = eZDB::instance()->escapeString($user->attribute('login')); eZAudit::writeAudit('user-failed-login', array('User id' => $userIDAudit, 'User login' => $loginEscaped, 'Comment' => 'Failed login attempt: Password Expired. eZPaExUser::loginUser()')); // Redirect user to password change form self::redirectToChangePasswordForm($userID); }
/** * Returns the authorization object for a user & application * @param ezpRestClient $client * @param eZUser $user */ public static function fetchForClientUser(ezpRestClient $client, eZUser $user) { $session = ezcPersistentSessionInstance::get(); $q = $session->createFindQuery(__CLASS__); $q->where($q->expr->eq('rest_client_id', $q->bindValue($client->id)))->where($q->expr->eq('user_id', $q->bindValue($user->attribute('contentobject_id')))); $results = $session->find($q, __CLASS__); if (count($results) != 1) { return false; } else { return array_shift($results); } }
/** * Authorizes this application for a user * @param eZUser $user * @return void */ public function authorizeFor($user = null) { $authorization = new ezpRestAuthorizedClient(); $authorization->rest_client_id = $this->id; $authorization->user_id = $user->attribute('contentobject_id'); $session = ezcPersistentSessionInstance::get(); $session->save($authorization); }
/** * Does some house keeping work once a log in has succeeded. * * @param eZUser $user */ protected static function loginSucceeded($user) { $userID = $user->attribute('contentobject_id'); // if audit is enabled logins should be logged eZAudit::writeAudit('user-login', array('User id' => $userID, 'User login' => $user->attribute('login'))); eZUser::updateLastVisit($userID, true); eZUser::setCurrentlyLoggedInUser($user, $userID); // Reset number of failed login attempts eZUser::setFailedLoginAttempts($userID, 0); }
/** * Send password expiry notification to user * * @param eZUser $user ezuser object that contains the destination email address * @return true if notification sent correctly, false if not. */ function sendExpiryNotification($user) { $userToSendEmail = $user; require_once "kernel/common/template.php"; $receiver = $userToSendEmail->attribute('email'); $mail = new eZMail(); if (!$mail->validate($receiver)) { eZDebug::writeError('Invalid email address set in user ' . $user->attribute('contentobject_id'), 'sendExpiryNotification'); return false; } $tpl = templateInit(); $tpl->setVariable('user', $userToSendEmail); $http = eZHTTPTool::instance(); $http->UseFullUrl = false; $templateResult = $tpl->fetch('design:userpaex/expirynotificationmail.tpl'); $ini = eZINI::instance(); $emailSender = $ini->variable('MailSettings', 'EmailSender'); if (!$emailSender) { $emailSender = $ini->variable('MailSettings', 'AdminEmail'); } $mail->setSender($emailSender); $mail->setReceiver($receiver); $subject = ezpI18n::tr('mbpaex/userpaex', 'Your password is about to expire'); if ($tpl->hasVariable('subject')) { $subject = $tpl->variable('subject'); } $mail->setSubject($subject); $mail->setBody($templateResult); return eZMailTransport::send($mail); }
/** * Generates a serialized draft of the ezuser content * * @param eZUser $user * @return string */ private function serializeDraft(eZUser $user) { return json_encode(array('login' => $user->attribute('login'), 'password_hash' => $user->attribute('password_hash'), 'email' => $user->attribute('email'), 'password_hash_type' => $user->attribute('password_hash_type'))); }
/** * Checks if $user is a participant in this collaboration item * @param eZUser $user * @return bool */ public function userIsParticipant(eZUser $user) { /** @var eZCollaborationItemParticipantLink $participantLink */ foreach ($this->participantList() as $participantLink) { $participant = $participantLink->participant(); if ($participant instanceof eZUser) { if ($participant->attribute('contentobject_id') == $user->attribute('contentobject_id')) { return true; } } else { if ($participant instanceof eZContentObject) { foreach ($user->groups() as $userGroup) { if ($participant->attribute('id') == $userGroup->attribute('id')) { return true; } } } } } return false; }
/** * User setter * @param eZUser $user */ public function setUser(eZUser $user) { $this->user = $user; $this->setAttribute('user_id', $user->attribute('contentobject_id')); }
public static function checkAccess(eZContentObject $contentobject, eZUser $user, $functionName, $originalClassID = false, $parentClassID = false, $returnAccessList = false, $language = false) { $classID = $originalClassID; $userID = $user->attribute('contentobject_id'); $origFunctionName = $functionName; // Fetch the ID of the language if we get a string with a language code // e.g. 'eng-GB' $originalLanguage = $language; if (is_string($language) && strlen($language) > 0) { $language = eZContentLanguage::idByLocale($language); } else { $language = false; } // This will be filled in with the available languages of the object // if a Language check is performed. $languageList = false; // The 'move' function simply reuses 'edit' for generic access // but adds another top-level check below // The original function is still available in $origFunctionName if ($functionName == 'move') { $functionName = 'edit'; } $accessResult = $user->hasAccessTo('content', $functionName); $accessWord = $accessResult['accessWord']; /* // Uncomment this part if 'create' permissions should become implied 'edit'. // Merges in 'create' policies with 'edit' if ( $functionName == 'edit' && !in_array( $accessWord, array( 'yes', 'no' ) ) ) { // Add in create policies. $accessExtraResult = $user->hasAccessTo( 'content', 'create' ); if ( $accessExtraResult['accessWord'] != 'no' ) { $accessWord = $accessExtraResult['accessWord']; if ( isset( $accessExtraResult['policies'] ) ) { $accessResult['policies'] = array_merge( $accessResult['policies'], $accessExtraResult['policies'] ); } if ( isset( $accessExtraResult['accessList'] ) ) { $accessResult['accessList'] = array_merge( $accessResult['accessList'], $accessExtraResult['accessList'] ); } } } */ if ($origFunctionName == 'remove' or $origFunctionName == 'move') { $mainNode = $contentobject->attribute('main_node'); // We do not allow these actions on objects placed at top-level // - remove // - move if ($mainNode and $mainNode->attribute('parent_node_id') <= 1) { return 0; } } if ($classID === false) { $classID = $contentobject->attribute('contentclass_id'); } if ($accessWord == 'yes') { return 1; } else { if ($accessWord == 'no') { if ($functionName == 'edit') { // Check if we have 'create' access under the main parent if ($contentobject->attribute('current_version') == 1 && !$contentobject->attribute('status')) { $mainNode = eZNodeAssignment::fetchForObject($contentobject->attribute('id'), $contentobject->attribute('current_version')); $parentObj = $mainNode[0]->attribute('parent_contentobject'); $result = $parentObj->checkAccess('create', $contentobject->attribute('contentclass_id'), $parentObj->attribute('contentclass_id'), false, $originalLanguage); return $result; } else { return 0; } } if ($returnAccessList === false) { return 0; } else { return $accessResult['accessList']; } } else { $policies =& $accessResult['policies']; $access = 'denied'; foreach (array_keys($policies) as $pkey) { $limitationArray =& $policies[$pkey]; if ($access == 'allowed') { break; } $limitationList = array(); if (isset($limitationArray['Subtree'])) { $checkedSubtree = false; } else { $checkedSubtree = true; $accessSubtree = false; } if (isset($limitationArray['Node'])) { $checkedNode = false; } else { $checkedNode = true; $accessNode = false; } foreach (array_keys($limitationArray) as $key) { $access = 'denied'; switch ($key) { case 'Class': if ($functionName == 'create' and !$originalClassID) { $access = 'allowed'; } else { if ($functionName == 'create' and in_array($classID, $limitationArray[$key])) { $access = 'allowed'; } else { if ($functionName != 'create' and in_array($contentobject->attribute('contentclass_id'), $limitationArray[$key])) { $access = 'allowed'; } else { $access = 'denied'; $limitationList = array('Limitation' => $key, 'Required' => $limitationArray[$key]); } } } break; case 'ParentClass': if (in_array($contentobject->attribute('contentclass_id'), $limitationArray[$key])) { $access = 'allowed'; } else { $access = 'denied'; $limitationList = array('Limitation' => $key, 'Required' => $limitationArray[$key]); } break; case 'ParentDepth': $assignedNodes = $contentobject->attribute('assigned_nodes'); if (count($assignedNodes) > 0) { foreach ($assignedNodes as $assignedNode) { $depth = $assignedNode->attribute('depth'); if (in_array($depth, $limitationArray[$key])) { $access = 'allowed'; break; } } } if ($access != 'allowed') { $access = 'denied'; $limitationList = array('Limitation' => $key, 'Required' => $limitationArray[$key]); } break; case 'Section': case 'User_Section': if (in_array($contentobject->attribute('section_id'), $limitationArray[$key])) { $access = 'allowed'; } else { $access = 'denied'; $limitationList = array('Limitation' => $key, 'Required' => $limitationArray[$key]); } break; case 'Language': $languageMask = 0; // If we don't have a language list yet we need to fetch it // and optionally filter out based on $language. if ($functionName == 'create') { // If the function is 'create' we do not use the language_mask for matching. if ($language !== false) { $languageMask = $language; } else { // If the create is used and no language specified then // we need to match against all possible languages (which // is all bits set, ie. -1). $languageMask = -1; } } else { if ($language !== false) { if ($languageList === false) { $languageMask = (int) $contentobject->attribute('language_mask'); // We are restricting language check to just one language $languageMask &= (int) $language; // If the resulting mask is 0 it means that the user is trying to // edit a language which does not exist, ie. translating. // The mask will then become the language trying to edit. if ($languageMask == 0) { $languageMask = $language; } } } else { $languageMask = -1; } } // Fetch limit mask for limitation list $limitMask = eZContentLanguage::maskByLocale($limitationArray[$key]); if (($languageMask & $limitMask) != 0) { $access = 'allowed'; } else { $access = 'denied'; $limitationList = array('Limitation' => $key, 'Required' => $limitationArray[$key]); } break; case 'Owner': case 'ParentOwner': // if limitation value == 2, anonymous limited to current session. if (in_array(2, $limitationArray[$key]) && $user->isAnonymous()) { $createdObjectIDList = eZPreferences::value('ObjectCreationIDList'); if ($createdObjectIDList && in_array($contentobject->ID, unserialize($createdObjectIDList))) { $access = 'allowed'; } } else { if ($contentobject->attribute('owner_id') == $userID || $contentobject->ID == $userID) { $access = 'allowed'; } } if ($access != 'allowed') { $access = 'denied'; $limitationList = array('Limitation' => $key, 'Required' => $limitationArray[$key]); } break; case 'Group': case 'ParentGroup': $access = $contentobject->checkGroupLimitationAccess($limitationArray[$key], $userID); if ($access != 'allowed') { $access = 'denied'; $limitationList = array('Limitation' => $key, 'Required' => $limitationArray[$key]); } break; case 'State': if (count(array_intersect($limitationArray[$key], $contentobject->attribute('state_id_array'))) == 0) { $access = 'denied'; $limitationList = array('Limitation' => $key, 'Required' => $limitationArray[$key]); } else { $access = 'allowed'; } break; case 'Node': $accessNode = false; $mainNodeID = $contentobject->attribute('main_node_id'); foreach ($limitationArray[$key] as $nodeID) { $node = eZContentObjectTreeNode::fetch($nodeID, false, false); $limitationNodeID = $node['main_node_id']; if ($mainNodeID == $limitationNodeID) { $access = 'allowed'; $accessNode = true; break; } } if ($access != 'allowed' && $checkedSubtree && !$accessSubtree) { $access = 'denied'; // ??? TODO: if there is a limitation on Subtree, return two limitations? $limitationList = array('Limitation' => $key, 'Required' => $limitationArray[$key]); } else { $access = 'allowed'; } $checkedNode = true; break; case 'Subtree': $accessSubtree = false; $assignedNodes = $contentobject->attribute('assigned_nodes'); if (count($assignedNodes) != 0) { foreach ($assignedNodes as $assignedNode) { $path = $assignedNode->attribute('path_string'); $subtreeArray = $limitationArray[$key]; foreach ($subtreeArray as $subtreeString) { if (strstr($path, $subtreeString)) { $access = 'allowed'; $accessSubtree = true; break; } } } } else { $parentNodes = $contentobject->attribute('parent_nodes'); if (count($parentNodes) == 0) { if ($contentobject->attribute('owner_id') == $userID || $contentobject->ID == $userID) { $access = 'allowed'; $accessSubtree = true; } } else { foreach ($parentNodes as $parentNode) { $parentNode = eZContentObjectTreeNode::fetch($parentNode, false, false); $path = $parentNode['path_string']; $subtreeArray = $limitationArray[$key]; foreach ($subtreeArray as $subtreeString) { if (strstr($path, $subtreeString)) { $access = 'allowed'; $accessSubtree = true; break; } } } } } if ($access != 'allowed' && $checkedNode && !$accessNode) { $access = 'denied'; // ??? TODO: if there is a limitation on Node, return two limitations? $limitationList = array('Limitation' => $key, 'Required' => $limitationArray[$key]); } else { $access = 'allowed'; } $checkedSubtree = true; break; case 'User_Subtree': $assignedNodes = $contentobject->attribute('assigned_nodes'); if (count($assignedNodes) != 0) { foreach ($assignedNodes as $assignedNode) { $path = $assignedNode->attribute('path_string'); $subtreeArray = $limitationArray[$key]; foreach ($subtreeArray as $subtreeString) { if (strstr($path, $subtreeString)) { $access = 'allowed'; } } } } else { $parentNodes = $contentobject->attribute('parent_nodes'); if (count($parentNodes) == 0) { if ($contentobject->attribute('owner_id') == $userID || $contentobject->ID == $userID) { $access = 'allowed'; } } else { foreach ($parentNodes as $parentNode) { $parentNode = eZContentObjectTreeNode::fetch($parentNode, false, false); $path = $parentNode['path_string']; $subtreeArray = $limitationArray[$key]; foreach ($subtreeArray as $subtreeString) { if (strstr($path, $subtreeString)) { $access = 'allowed'; break; } } } } } if ($access != 'allowed') { $access = 'denied'; $limitationList = array('Limitation' => $key, 'Required' => $limitationArray[$key]); } break; default: if (strncmp($key, 'StateGroup_', 11) === 0) { if (count(array_intersect($limitationArray[$key], $contentobject->attribute('state_id_array'))) == 0) { $access = 'denied'; $limitationList = array('Limitation' => $key, 'Required' => $limitationArray[$key]); } else { $access = 'allowed'; } } } if ($access == 'denied') { break; } } $policyList[] = array('PolicyID' => $pkey, 'LimitationList' => $limitationList); } if ($access == 'denied') { if ($functionName == 'edit') { // Check if we have 'create' access under the main parent if ($contentobject->attribute('current_version') == 1 && !$contentobject->attribute('status')) { $mainNode = eZNodeAssignment::fetchForObject($contentobject->attribute('id'), $contentobject->attribute('current_version')); $parentObj = $mainNode[0]->attribute('parent_contentobject'); $result = $parentObj->checkAccess('create', $contentobject->attribute('contentclass_id'), $parentObj->attribute('contentclass_id'), false, $originalLanguage); if ($result) { $access = 'allowed'; } return $result; } } } if ($access == 'denied') { if ($returnAccessList === false) { return 0; } else { return array('FunctionRequired' => array('Module' => 'content', 'Function' => $origFunctionName, 'ClassID' => $classID, 'MainNodeID' => $contentobject->attribute('main_node_id')), 'PolicyList' => $policyList); } } else { return 1; } } } }